Catch the full episode: https://www.wealthformula.com/podcast/172-ask-buck/ Buck:
Welcome back to the show everyone we have a number of questions today on Ask Buck so I am gonna get with it right away the first question is from Beau Cannington. He’s a member of Investor Club and Wealth Formula Network. Here's his question. Beau Cannington:
How much of a negative impact do you think that a rising interest rate environment will have on our commercial real estate investments and specifically the syndication investments with Western Wealth Capital? Thank you very much. Buck:
So Beau, good question, especially on paper right, it makes a lot of sense that potentially rising rates could be problematic for multifamily real estate or really for any kind of real estate. But let's go back to basics first because I think it's important, a lot of people don't have a good enough understanding of this in the first place, which is when does leverage help you in the first place, when does it help to borrow money from the bank? Well leverage only really helps you if you're borrowing at a rate that is less than your effective cap rate, and what I mean by effective cap rate is you know you're gonna constantly drive net operating income into a property if you're increasing the value of the property, if you're in a value-add situation. That's what we do in the Western Wealth Capital opportunities that you're talking about. But that rate at which you borrow has to constantly and always be above your effective cap rate otherwise it's gonna hurt you. All leverage does is to simply amplify the directionality of your profit or losses. So just like it makes you profit more if your effective cap rate is greater than your interest rate, if you know that income drops to a point where now your cap rate is actually below the interest rate, it's gonna magnify your losses. So that's at a very basic level, hopefully that makes sense, if it doesn't re-listen to it because it's critically important and for some reason you know a lot of people don't pay attention to that, especially people who are just getting into real estate for the first time, it's really important. Now let's talk about the idea of interest rates themselves, I mean the one that most people are familiar with is the one that's on the news all the time. It's the Fed Funds rate, you know people call it the benchmark rate, whatever.
It's the one that's set by the Federal Reserve and the way I think about the Fed Funds rate is that it's an indicator for whether or not the economy is healthy, it's sort of a barometer, when the rates are getting hiked the economy is in pretty good shape and the Fed is trying to prevent it from getting too hot and to you know potentially prevent inflation. On the other side when the you know Fed lowers rates, like it just did by the way, it signals some level of concern about the economy, it you know suggests that maybe there's some deflationary activity going on and suggests that there's some recessionary activity going on. You know ultimately the Fed rate is you know set by the Fed and it's a tool of monetary stimulus to try to control inflation and ultimately mitigate recessionary cycles, so it's a way for the Fed to control the economy, you know it's one of the ways that they try to control the economy, one of the monetary tools. Now the Fed Funds rate does not equate to mortgage rates. I hear a lot of people you know like on social media and stuff talking about where the Fed Funds rate goes, the perfect time for me to go shop a loan or something like that, and well you should know a little bit more than that if you're in the business of real estate and taking loans out, but you know I mean I'm seeing like syndicators do that. The Fed Funds rate really affects short-term and variable adjusted rates, really it's an indication of what's going on right now in this economy in the very short term.
And mortgage rates of course then are far more complex, mortgage rates reflect sort of a longer-term health of the economy and there's a lot that goes into them, but probably the thing that you need to watch the most is the ten-year Treasury, which is much more a reflection of you know the long-term rates, what the market thinks the market's gonna be in the future, right, so if there is a belief that there is you know inflation on the horizon you probably see those rates start to rise. Inflation tends to rise when the economy's you know hot, so anyway now again what you should be looking at is the 10-year Treasury. Now I'm giving you a little bit of background rather than just answering Beau's question initially, but the good news right now is that the Fed Funds rate was actually cut, so it's actually not going up anyway so we don't need to worry about that right now, but we also had a big dip in the ten-year Treasury so our mortgage rates are very favorable right now as well. Now that's interesting because that happened before the Fed cut rates, you know we recently closed on something within our Investor Club and got really good rates and that was before, that was because the Treasury took a dive, it took a dive right before you know this whole thing in the last week or so, couple weeks, where there's actually a Fed rate. But let's move back again to Beau's question. Say mortgage rates were going up, what would that mean and how would that affect our investments? Now presumably that would be a suggestion that the 10-year Treasury as we talked about was going up, which would also be suggestive of an inflationary environment. Now here's where it's really helpful to be invested in real estate like multifamily real estate which is of course my sweet spot. Inflation also means that we raise rents more, right, so in other words as rates go up so do our rents.
So the ten-year Treasury is reflective of inflation, and so the rates go up but so do rents proportionally, and so theoretically we should be in good shape and not worry about it too much because it's really just an adjustment for inflation if you think about it that way. Bottom line is for me personally I don't worry too much about rates when it comes to our Wealth Formula accredited investor opportunities that we're doing, and one of the reasons for that is we are incredibly aggressive about value add. So we're constantly in decompression mode as well and we're you know locked in to some good rates here too. Now in addition if you look at the speed at which you know some of these companies work, like Western Wealth Capital, the one you mentioned, they're forcing equity into these assets like you know incredibly fast, so you're in a dynamic mode of decompressing cap rates in real time and that effectively again de-leverages the asset altogether. So if you found that confusing, listen to it again. But bottom line is, if you take nothing else away from this I would tell you that interest rates in general, mortgage rates, will reflect inflation. So if inflation is going up rates are gonna go up and vice versa and so they tend to cancel each other out, don't worry about it, that's what I would tell you. If anything rates going down might be potentially more of a concern simply because that's much more of an indication of an economy that's not healthy. Now we're doing you know B/C class multifamily, I still think we're positioned very well so again I don't worry about it too much. Okay let's see, next question from Chris Odegard, another Investor Club guy and also another Wealth Formula Network guy, so Chris here you go. Chris Odegard:
Hey Buck. Chris Odegard here in Kent, Washington. My question relates to asset classes. If I remember correctly from Tom Wheelwright he talks about four asset classes: paper, commodities, real assets aka real estate, and businesses. So I believe that you know if I'm a shareholder in Coca-Cola that's paper, but I'm also a private shareholder in a number of small start-up businesses, so does my ownership of private shares in small businesses constitute a paper asset or a business asset? And if that's still a paper asset, you know what makes you have an investment in business, since most of the time you know if you're an owner or part owner of a small non publicly traded business it's usually their shares, so anyway I'm kind of struggling with the distinction between paper and a business asset classification so appreciate your help on that. Thanks. Buck:
So Chris I think first of all let's back up and just say you know the reality is that these are just definitions, right, and there's a gray area between them and we can use them to guide us a little bit as we appropriate things into the right quote-unquote basket, but you know we shouldn't get hung up on them too much. But let's go back and review the definitions, right, so what are paper assets. So well let's talk about what real assets are, so real assets are physical assets, right, and the thing that they are known for is that they have intrinsic worth due to their substance and property, so precious metals, commodities, real estate, land, equipment, natural resources, these all have some kind of intrinsic value to them, whereas paper assets would be assets where ownership's defined only by paper, like as you mentioned stocks and currencies and bonds and things like that. The reality is that in some cases like you're talking about the definitions might not be as useful, it might be a better idea to simply ask yourself in sort of a common-sense way, well what is it that I actually own? You know if you own businesses that are not asset heavy, and what I mean by asset heavy is like you know lots of machinery, stuff that you could liquidate, it's probably fair to put it in the you know the paper side of things. On the other hand if you have a business that has a significant balance sheet of stuff that could be liquidated you might actually put it in you know the real asset bucket.
But I will tell you, knowing what you're talking about, you invest in a lot of startups, I would say that I personally would probably never consider an investment, a limited partner investment, in a start-up as a real asset. I mean I think the bottom line is that most of those businesses are not going to have a significant amount of equity or collateral to back your debt, so there's not a lot to liquidate, there's not a lot of intrinsic value in those businesses other than their ability to produce income. So that's where I would put that. Now what gives real estate and precious metals, let's go back to that, real status, well it's ultimately again their inherent value that it can't really be erased the way a stock price can go to zero. Or frankly if you talk about businesses, what happens if the business that you're invested in Chris, what if that goes to zero right? If there's no profit, if there's nothing to distribute etc, it's not worth anything anymore, right, so that to me is probably the biggest thing to distinguish.
Although I should bring up, I keep thinking about this as we're talking, that you know I was listening to Peter Schiff, I still like to listen to him, I think he's a smart guy, just you know he's a little stubborn and he's always thinking the sky is falling, which I don't agree with him on, but you know he's on this big rampage against Bitcoin and he's been debating all these people about gold versus Bitcoin, which I actually think is kind of a silly debate because I think the gold and Bitcoin people should sort of you know be on the same side, but I think you know it might be in part because Peter sells gold and it's a good opportunity to get in front of people. But one of his arguments about gold is that the reason that it has value is that it has intrinsic properties and those intrinsic properties are that it can be used you know to melt down and make stuff, and I think that's true, but the problem with this argument in my opinion is that seriously, for those of you who are out there owning gold, you've owned a few ounces of gold and you store it somewhere, are you seriously owning it because you know you might be able to use it sometime or because somebody might be able to use it, or are you owning it because somebody thinks it has a value? I would argue that the reason you own it in most cases, unless you're like a big jewelry buff or whatever, is because you want somebody else to you know at some point pay you more for that than what you bought it for, so in that respect it's not a whole lot different from like Bitcoin, right, like you know the value of gold has to do with the fact that it also has a monetary value, it's really seen that way, if you took that out of it and all of it was just a matter of it being jewelry it would not be worth as much as it is. But anyway that's my take on that, a little unrelated but I thought I would throw in that commentary.
Next question let's see is from Ramin Rafie here we go. Ramin Rafie:
Hi Buck. I'm a physician, general practitioner. I've been out of residency for about a decade now. I have been an employed physician working for a larger corporation making house calls and a hospice director for their large healthcare organization, which actually has recently been bought by an insurance company, that's a whole other story. I actually went to medical school in California. And I've always wondered if it's feasible for me to open up my own kind of practice. I don't know enough about the tax structures, reimbursement etc, etc. I understand insurances are a big problem and you have to hire a lot of staff, that's a waste of resources to strike to insurances, but I was debating if a solo practitioner is doable, perhaps direct primary care, and if so is one better off just doing a cash-based practice, and the legal structure of either having an LLC or an S corp or C Corp, I don't know if you can operate on that, that's gonna be, I guess, I need to talk to an accountant about that, but I figured I'd ask you and you might know, you might not, but I enjoy listening to your podcast, it's amazing how many physicians out there are in the same boat. Thanks, great time. Buck:
Alright so we do have a lot of physician listeners, non-physicians too, in case you're wondering it's probably about, but not just physicians but health care people, right, so you know physicians, dentists and you know eye doctors and you know all sorts of stuff, chiropractors, and that's probably because well I've had a healthcare background myself doing a few different kinds of surgery and stuff like that, but thanks for the question. I'm gonna try to, I mean there's a lot there and I think honestly the truth of the matter is I'm not necessarily an expert on all of these issues, but you know some of the things I can answer I think will be relatively useful to anybody who's thinking about going on their own. First of all I'd say that if you're starting your own thing, you know an LLC is generally going to always be the best structure for a small business for maximum flexibility, you can take, if for some reason you want to be taxed as a C-corp you could, or you do an S election, so that's pretty easy. To answer your question of you know can you do it, the answer is absolutely yes. There are solo practitioners out there now and you can do it and you could probably do it better, and that's always generally been my philosophy when starting businesses, usually I don't start businesses that have not in some way, shape or form shown that they can be a success, I usually rip off somebody's idea and then pivot a little bit, add a little something and execute it, and so I think to the extent that there are plenty of sole practitioners out there in California still, I think it absolutely can be done.
You know so your question about cash versus insurance based medicine, just keeping it brief, I'll tell you that it's not really an expertise of mine, but what I can tell you is that coming out of the door with any business, if it's just a cash business you're gonna have to advertise like crazy and you're gonna have to run it like a business, which not everybody is ready for, so the nice thing for physicians and dentists sometimes is that you know if you do take third party payers like you know these insurance companies, they drive patients to your door, so especially in the area of primary care there's a shortage, so I don't think you'd have any trouble if you took insurance getting filled up really quickly and succeeding. Now as far as advice on how to move forward in general, first, you know again this applies to anybody who's starting a business in anything in my opinion, first of all find somebody who's doing what you know you want to do in another market and kind of copy them, if you can reach out to them even better if they're not in a competing market, but in your case find a you know solo practitioner in a market that's similar to what you're trying to do and is showing success and you know see if they're willing to spend some time with you. I would offer to pay them because everybody's helpful until it's like, damn I'm busy and this guy wants me to help him. But I think if you say hey, you've got a successful thing there, I'm looking for some help and you know looking for some consulting from a successful practice, it might be useful. Another option of course is to go straight to a consultant, and again this applies to every business in my opinion. Of course there's a lot of you know consultants out there.
I had one for my first practice, ultimately it was a cosmetic surgery business, and again I ran this thing not like a medical thing, I didn't take any third-party insurance and stuff, but I marketed like crazy. I knew nothing about running a business or marketing when I started this, the business I set out to start ended up looking nothing like the one I ended up with. What I ended up with was a lot better because I learned a lot on the job. But a lot of the back end things, whether it's medical, whether it's you know any kind of business, are the same, right, I mean you've got to figure out how do you pay bills, how do you set up all the systems, accounting, payroll, and that for me was where the consulting was a really useful thing, and at the time I think I must have paid like twenty five, thirty thousand dollars for it and it seemed really expensive, but I can tell you in any start-up situation you are much better off spending some money up front with someone holding your hand getting you started quickly. I literally have a couple of friends who've been trying to start up their own practices for multiple years now, they could have been up and running in like three months if they had just paid somebody to get it done. So don't be that person, you know anyway that's a message for everyone really, if you have a problem, now remember this, if you have a problem that you can write a check to someone to fix, you don't have a problem, right? So that's the way you deal with this stuff, don't spend all your time trying to deal with stupid little problems, think of yourself as a you know as a thoroughbred, right, I mean you save yourself for you know high-value tasks. If you mess around and try to do everything yourself you're gonna end up worse, I pretty much guarantee it, and that goes for anyone starting any kind of business for the first time.
So finally I would just say that I don't know a single health care provider in particular, and I know there's a lot of you out there with your own practice, that once you have your own thing would ever go back to working for someone else or who'd ever want to go back to working for someone else. I know some of you have done it after you've sold your practice, which is different, you're sitting on a huge chunk of cash, but if you have any sort of entrepreneurial spirit and like the idea of not having limits on the upper end I would highly encourage it. All right so hopefully that's helpful and you know it's broadly, I think it's broadly applicable to a lot of people who have ever contemplated any kind of entrepreneurial activities. So let's see, the last one that's an actual voice one, so let's do that, from Ravi. Ravi Ghanta:
Hi Buck, this is Ravi Ghanta. I just wanted to say thank you for all of your hard work and for providing such valuable information to this community. As part of the investor group I've gained so much knowledge from you as well as from your guests on your podcast. Unfortunately I have not been able to attend the meetup and I won't be able to go to the next meetup in Dallas in September, however I was wondering if you would consider creating a directory of some sort where those who are willing to provide their name, their mailing address, email address or even phone number could create a community where we can interact with each other, you know perhaps by having this information we can even meet up with each other in different places informally, we can also discuss things, you know many of us are in the medical field and other specialties or other aspects of business and crafts, developing contacts in that way, just a thought. But once again thank you for your insightful information and I look forward to continuing to work with you. Thank you. Buck:
All right thanks Ravi. Ravi again is a member of the investor group, now I don't think Ravi's part of Wealth Formula Network and that could be part of the confusion, or not confusion but part of the question, to answer the question, which is, is there a community that you could join or have you know some additional contact. The first thing I'm going to tell you there is that's really what Wealth Formula Network was really all about. So Wealth Formula Network is the online private community, we have you know a very strong community, there are a lot of people who are really just interested in connecting with one another. It of course started out with the course, and the course was with you know Tom Wheelwright, Ken McElroy, the Real Estate Guys, a bunch of guys I know, sort of gives you the basics, gives you the foundation for things that we talk about, and then we have these bi-weekly phone calls, these bi-weekly phone calls are very useful, they're not just phone calls, they're Zoom calls, Zoom video so we can see each other, it's very personal and we have very in-depth conversation, people who are in Wealth Formula Network often create relationships offline, off community, and that's certainly an option for you. In terms of online communities I would say that I probably wouldn't do anything else and the reason being that anytime you preside over an online community you kind of have to keep an eye on it and I have Wealth Formula Network and that's really all I really want to focus in on, I don't really want to you know monitor other sites.
As far as you know people putting their information out and stuff, I don't necessarily have a problem with that, the thing that I worry about is if it's anywhere that people can access, I worry about your privacy because you know we have an extremely robust audience here including you know an accredited investor list of over a thousand people, and if there's some like you know advisors, registered advisors or you know people who are trying to get to those people, they will spam you like crazy if they ever got a hold of that. But Ravi let me think about it because there could be a way to do you know what you're talking about to a certain extent, you know like I said we certainly already do this kind of thing within Wealth Formula Network, if that's of interest to you check it out, WealthFormulaRoadmap.com, I think you'd probably really enjoy that if you enjoy the show. So all right, I don't have any more video, I don't have any recorded questions, I have a couple of written ones I'm going to get to, the first one is from Robert McLeod:
He says I've been listening to your podcast for the last couple years now, I know you're a huge proponent of investing in real estate assets especially multifamily but I can't remember if you've ever discussed mobile homes. I was wondering if you've looked into investing in or thought of the mobile home park space. Thanks for the informative podcast. So it's a sensitive thing because I know there's a lot of people who are interested in that, people who listen to this and friends of mine who are involved in this, but you ask, I'll answer. To be honest I'm not a big fan of that space right now, here's why: the cap rates on these things are approaching multifamily real estate, right, multifamily can always be improved significantly and attract higher level tenants and then areas get gentrified, they get improved. I mean there's some improvement ability in mobile home parks, right, but it's really capped, I mean think about it, at some point you don't want to live in a damn mobile home anymore, right. So here's a good example of you know how multifamily doesn't really have that cap. Chicago's Lincoln Park is one of the like fanciest parts of Chicago, it's really expensive, jam-packed full of mansions and stuff now, but there's also a bunch of apartment buildings that are over a hundred years old, and you know forty years ago Lincoln Park was an absolute dump and it was dangerous and no one wanted to live there, and then it got gentrified and all these places that were probably low income housing are now these incredibly luxurious apartments, they have been upgraded like crazy and now they're multi-million dollar assets selling at ridiculous cap rates. Now tell me how do you do that with a mobile home community? You can't, right.
So at some point if people are doing well they want to move out of a mobile home park, so you can't keep raising rents and expect people to live there, so that's one reason. So now if you're capped on appreciation of rents it's gonna cap your equity upside, so now the syndicators out there that I'm seeing, especially on the limited partner side, are giving returns that frankly are inferior to what we're getting in multifamily in Investor Club by a longshot. I know some of you like this area but I don't, and I sure as hell would never invest in a limited partnership like this for returns that are less than double-digit, again that's just me though. So finally let me just say this, my philosophy right now in general: buy quality assets, don't buy crap, okay. I see people posting stuff on Facebook about single family you know Class C, Class D homes they bought that were supposed to cash flow like crazy and you know all they have is problems now. You know the idea is that these things might look good on numbers, but when you add in the capex and paying for damages and tenants, I mean you may not cash flow at all, people are losing money on this stuff left and right, so there's a reason why these numbers look so good on paper, because they're not good investments and people are trying to sell them to you. So bottom line is I'm not saying that mobile home parks are you know bad for everyone. I'm just saying that I personally look at the alternative and the alternatives for me are better. I prefer to focus on high quality assets and markets that are growing quickly, right.
I mean to me it may be boring and repetitive what I do, but I can tell you from personal experience it works, and I think chasing yield in the idea of going to lower quality assets or going to tertiary markets is a very very bad idea because those are the markets, those are the areas in my view, that are going to suffer the most if and when there's significant recessionary activity or a market turnaround, so hopefully that answers that. Next question, Mark Dvorak:
Hello, can you talk on your podcast about real estate professional status? I feel like it's the ultimate green card to play in real estate as passive losses are unlimited? Everyone only talks about this powerful designation briefly. Like the 750 hour rule, can two people count towards those? What are the max deductions, and then he says for LPs what are the max deductions one can get without being a real estate professional, a show detailing all these options. Well let me just be brief about this, the reason people are brief about it is because for the most part the definition of real estate professional is this, okay, 750 hours of documented actual work in real estate, like not just being a limited partner but you know looking for real estate, acquiring, you know talking to people, whatever, you got to have that 750 hours per year and it can't be two people, no, it has to be one person, and you can't have anything that you're doing more of, so it's not, I've heard some people say they're gonna try to do it with a full-time job, I just don't recommend it, I think the IRS is gonna not take you seriously in that situation, but you know you could try. In that situation of course there's no cap to your losses. The beauty of it is what you're talking about is say you have a spouse who has a W2 income, that's active income, but as a real estate professional all of the passive losses that you generate through depreciation, where most people who are not real estate professionals can only offset those against passive investments, you can offset that against active income, because your losses as a real estate professional, what would be passive loss has become activated. So if you've got a $100,000 loss from real estate depreciation you could offset you know a hundred thousand dollars of your wife's active income because you're filing jointly, right.
So that's the Holy Grail, you're right, I think it's a big deal, but that's really all there is to it. I mean you have to find a CPA who can guide you on this, you know I would recommend somebody from WealthAbility, and pretty much anybody there is gonna tell you all the right rules, but really the issue with that is you got to find a CPA who's going to tell you how to do it and then stand by you in the event of an audit. An audit is not, you know, it's not the end of the world, it happens to anybody who's making money, you gotta have somebody who is actually you know going to defend that successfully. So anyway that's it. In terms of the caps about you know being a limited partner and what are some of the maximum deductions you can get without being a real estate professional, the honest truth is that I don't know that there's any real maximum deductions for real estate, I mean listen, if you have a hundred thousand dollars or two hundred thousand or a million dollars of passive income and you have passive losses of the same amount you could deduct it all, so there's no cap at all. I mean the only thing I think there's a cap on, I think charitable giving is about fifty percent, you know charitable giving, fifty percent, and then there's all your typical things that I don't really get into, you know the basic accounting deductions and things like that for other things, but I'll tell you from the standpoint of real estate there really is no cap on deductions, it's just you know whatever you have, if you're in the passive column as a non-real-estate professional you could deduct all that, and then on the active side you could deduct all of your depreciation against all of your income. So that's pretty straightforward. Okay last question and it's from Betty:
She said, Buck I heard you talking about a bad drug reaction you had in Minneapolis. What was the drug that gave you the bad reaction? Yeah so let me tell you about that, in the last show I talked about that, that was my near-death experience thing where I thought I was gonna die, listen to this show, you'll get the whole story, but bottom line is as it turned out it was a CBD tincture. And I took some CBD for my back in Santa Barbara and it worked really well for me, and then I don't know what was in this bottle that I bought but it just gave me some sort of crazy out-of-body experience and it wasn't like being stoned, okay, I've been to college, I know what that feels like, something was very wrong, anyway it was the CBD, it's a long story. Bottom line is if you are interested in that story and how it came about, listen to the show where I talk about this, the last show, I think it's probably last week according to where this is, and you'll hear about that. By the way, I'll say that you know riffing off that last show, I'm looking again at those vintage cars, the things that mattered the most, the lessons that I had there were to make sure to take care of your family, so look at Wealth Formula Banking, make sure you you know get into that and try to you know align your investments with legacy to a certain extent, that's one of my takeaways, the other one was to try to have a little bit of fun here and don't always push it away into delayed gratification. Okay that's it for the questions today and we will be right back.
Show notes for Security Endeavors Headlines, Week 5 of 2019 (InfoSec Week 6, 2019)
(link to original Malgregator.com posting)
The Zurich American Insurance Company says to Mondelez, a maker of consumer packaged goods, that the NotPetya ransomware attack was considered an act of cyber war and therefore not covered by their policy. According to Mondelez, its cyber insurance policy with Zurich specifically covered “all risks of physical loss or damage” and “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of a machine code or instruction.” One would think that the language in the cyber insurance policy was specifically designed to be broad enough to protect Mondelez in the event of any kind of cyber attack or hack. And NotPetya would seem to fit the definition included in the cyber insurance policy – it was a bit of malicious code that effectively prevented Mondelez from getting its systems back up and running unless it paid out a hefty Bitcoin ransom to hackers. Originally, Zurich indicated that it might pay $10 million, or about 10 percent of the overall claim. But then Zurich stated that it wouldn't pay any of the claim by invoking a special “cyber war” clause. According to Zurich, it is not responsible for any payment of the claim if NotPetya was actually “a hostile or warlike action in time of peace or war.” According to Zurich, the NotPetya cyber attack originated with Russian hackers working directly with the Russian government to destabilize the Ukraine. This is what Zurich believes constitutes "cyber war." https://ridethelightning.senseient.com/2019/01/insurance-company-says-notpetya-is-an-act-of-war-refuses-to-pay.html
Reuters reports that hackers working on behalf of Chinese intelligence breached the network of Norwegian software firm Visma to steal secrets from its clients. According to investigators at cyber security firm Recorded Future, the attack was part of what Western countries said in December is a global hacking campaign by China’s Ministry of State Security to steal intellectual property and corporate secrets. Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order to reach their clients. https://www.reuters.com/article/us-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUSKCN1PV141
A new vulnerability has been discovered in the upcoming 5G cellular mobile communications protocol. Researchers have described this new flaw as more severe than any of the previous vulnerabilities that affected the 3G and 4G standards. Further, besides 5G, this new vulnerability also impacts the older 3G and 4G protocols, providing surveillance tech vendors with a new flaw they can abuse to create next-gen IMSI-catchers that work across all modern telephony protocols.
This new vulnerability has been detailed in a research paper named "New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols," published last year.
According to the researchers, the vulnerability impacts AKA, which stands for Authentication and Key Agreement, a protocol that provides authentication between a user's phone and the cellular network. The AKA protocol works by negotiating and establishing keys for encrypting the communications between a phone and the cellular network. Current IMSI-catcher devices target vulnerabilities in this protocol to downgrade AKA to a weaker state that allows the device to intercept mobile phone traffic metadata and track the location of mobile phones. The AKA version designed for the 5G protocol, also known as 5G-AKA, was specifically designed to thwart IMSI-catchers, featuring a stronger authentication negotiation system. But the vulnerability discovered last year allows surveillance tech vendors to create new models of IMSI-catcher hardware that, instead of intercepting mobile traffic metadata, will use this new vulnerability to reveal details about a user's mobile activity. This could include the number of sent and received texts and calls, allowing IMSI-catcher operators to create distinct profiles for each smartphone holder. https://www.zdnet.com/article/new-security-flaw-impacts-5g-4g-and-3g-telephony-protocols/
The Debian Project is recommending the upgrade of golang-1.8 packages after a vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery. In addition, this update fixes two vulnerabilities in the “go get” command, which could result in the execution of arbitrary shell commands. https://www.debian.org/security/2019/dsa-4380
It is possible to trick users of the Evolution email application into trusting a phished mail by adding a forged UID to an OpenPGP key that has a previously trusted UID. This is because Evolution extrapolates the trust of one of the OpenPGP key's UIDs onto the key itself. The attack relies on a deficiency in the Evolution UI when handling new identifiers on previously trusted keys to convince the user to trust a phishing attempt. More details about how the flaw works, along with examples, are included in the article, which is linked in the show notes. Let’s take a minute to cover a bit of background on trust models and how validating identities works in OpenPGP and GnuPG:
The commonly used OpenPGP trust models are UID-oriented. That is, they are based on establishing validity of individual UIDs associated with a particular key rather than the key as a whole. For example, in the Web-of-Trust model individuals certify the validity of UIDs they explicitly verified.
Any new UID added to the key is appropriately initially untrusted. This is understandable since the key holder is capable of adding arbitrary UIDs to the key, and there is no guarantee that a new UID will not actually be an attempt at forging somebody else's identity. OpenPGP signatures do not provide any connection between the signature and the UID of the sender. While technically the signature packet permits specifying a UID, it is used only to facilitate finding the key, and is not guaranteed to be meaningful. Instead, only the signing key can be derived from the signature in a cryptographically proven way.
GnuPG (as of version 2.2.12) does not provide any method of checking the apparent UID, that is, the one taken from the e-mail's From header, against the signature. Instead, only the signature itself is passed to GnuPG, and its apparent trust is extrapolated from the validity of the different UIDs on the key. Another way to say this is that the signature is considered to be made with a trusted key if at least one of the UIDs has been verified. https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
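Added example (not code from Evolution, GnuPG or the linked article): a Python check of the distinction just described. It parses a constructed `gpg --with-colons` key listing and contrasts "some UID on the key is valid" with "the UID matching the message's From address is valid"; the key ID, fingerprints and addresses in the sample are placeholders.

```python
"""Added example, not code from Evolution, GnuPG or the linked article.

Contrasts the trust extrapolation described above (the key counts as trusted
if any of its UIDs is valid) with a check that requires the UID matching the
message's From address to be valid itself.  Input is the GnuPG
`--with-colons` key listing format; the listing below is constructed.
"""
import re

# Constructed sample of `gpg --with-colons --list-keys KEYID` output (key ID
# and fingerprints are placeholders).  Field 2 of a "uid" record is GnuPG's
# validity code and field 10 the user ID.  The first UID was verified by the
# user ("f" = fully valid); the second was added to the key later and never
# verified ("-" = unknown validity).
SAMPLE_LISTING = """\
pub:f:4096:1:0123456789ABCDEF:1546300800:::f:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:f::::1546300800::AAAA000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
uid:-::::1548979200::BBBB000000000000000000000000000000000000::Bob Target <bob@example.com>::::::::::0:
"""

VALID_CODES = {"f", "u"}   # fully or ultimately valid (GnuPG DETAILS doc)


def parse_uids(listing: str) -> list:
    """Return [(validity_code, user_id)] for every uid record in the listing."""
    uids = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "uid" and len(fields) > 9:
            user_id = fields[9].replace("\\x3a", ":")   # gpg escapes ':' in UIDs
            uids.append((fields[1], user_id))
    return uids


def email_of(user_id: str) -> str:
    """Extract the address part of 'Name <addr>' (or the whole string if bare)."""
    match = re.search(r"<([^>]+)>", user_id)
    return (match.group(1) if match else user_id).strip().lower()


def key_trusted_by_extrapolation(listing: str) -> bool:
    """The behaviour described above: one valid UID anywhere makes the key 'trusted'."""
    return any(code in VALID_CODES for code, _ in parse_uids(listing))


def sender_uid_valid(listing: str, from_addr: str) -> bool:
    """Stricter check: the UID matching the From address must itself be valid."""
    wanted = from_addr.strip().lower()
    return any(code in VALID_CODES and email_of(uid) == wanted
               for code, uid in parse_uids(listing))


def assess_signature(listing: str, from_addr: str) -> dict:
    """Summarise both views for a message signed with this key."""
    return {
        "key_has_valid_uid": key_trusted_by_extrapolation(listing),
        "from_uid_valid": sender_uid_valid(listing, from_addr),
    }


if __name__ == "__main__":
    # Mail claiming to come from the unverified UID: accepted by extrapolation,
    # rejected by the stricter per-UID check.
    print(assess_signature(SAMPLE_LISTING, "bob@example.com"))
```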
If you’re up for some heavy reading about manipulation and deceit being perpetrated by cyber criminals, it may be worth checking out a piece from buzzfeednews. It tells a woeful and dark tale that does not have a happy ending. A small excerpt reads: “As the tools of online identity curation proliferate and grow more sophisticated, so do the avenues for deception. Everyone’s familiar with the little lies — a touch-up on Instagram or a stolen idea on Twitter. But what about the big ones? Whom could you defraud, trick, ruin, by presenting false information, or information falsely gained? An infinite number of individual claims to truth presents itself. How can you ever know, really know, that any piece of information you see on a screen is true? Some will find this disorienting, terrifying, paralyzing. Others will feel at home in it. Islam and Woody existed purely in this new world of lies and manufactured reality, where nothing is as it seems.” https://www.buzzfeednews.com/article/josephbernstein/tomi-masters-down-the-rabbit-hole-i-go
A security researcher was allegedly assaulted by casino technology vendor Atrient after responsibly disclosing critical vulnerabilities to them. Following a serious vulnerability disclosure affecting casinos globally, an executive of the casino technology vendor Atrient allegedly assaulted the security researcher who disclosed the vulnerability at the ICE conference in London. The article covers the story of a vulnerability disclosure gone bad, one involving the FBI, a vendor with a global customer base of casinos and a severe security vulnerability which has gone unresolved for four months without being properly addressed. https://www.secjuice.com/security-researcher-assaulted-ice-atrient/
Article 13, the new European Union copyright law, is back and it got worse, not better. In the Franco-German deal, Article 13 would apply to all for-profit platforms. Upload filters must be installed by everyone except those services which fit all three of the following extremely narrow criteria:
- Available to the public for less than 3 years
- Annual turnover below €10 million
- Fewer than 5 million unique monthly visitors
Countless apps and sites that do not meet all these criteria would need to install upload filters, burdening their users and operators, even when copyright infringement is not at all currently a problem for them. https://juliareda.eu/2019/02/article-13-worse/
Researchers from Google Project Zero evaluated Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS. There are bypasses possible, but the conclusion says it is still a worthwhile exploitation mitigation technique. Among the most exciting security features introduced with ARMv8.3-A is Pointer Authentication, a feature where the upper bits of a pointer are used to store a Pointer Authentication Code (PAC), which is essentially a cryptographic signature on the pointer value and some additional context. Special instructions have been introduced to add an authentication code to a pointer and to verify an authenticated pointer's PAC and restore the original pointer value. This gives the system a way to make cryptographically strong guarantees about the likelihood that certain pointers have been tampered with by attackers, which offers the possibility of greatly improving application security. There’s a Qualcomm white paper which explains how ARMv8.3 Pointer Authentication was designed to provide some protection even against attackers with arbitrary memory read or arbitrary memory write capabilities. It's important to understand the limitations of the design under the attack model the author describes: a kernel attacker who already has read/write and is looking to execute arbitrary code by forging PACs on kernel pointers.
Looking at the specification, the author identifies three potential weaknesses in the design when protecting against kernel attackers with read/write access: reading the PAC keys from memory, signing kernel pointers in userspace, and signing A-key pointers using the B-key (or vice versa). The full article discusses each in turn. https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html
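As an added illustration (not code from the Project Zero post, Apple or ARM), here is a Python model of the PAC mechanism described above: a pointer is signed under a key and a context value, verified, and then seen to fail verification under the other key, a different context, or after tampering. The model's assumptions are labelled in its docstring: a 48-bit canonical address with a 16-bit PAC in the upper bits, HMAC-SHA256 standing in for the hardware cipher, and two constructed keys playing the A-key and B-key.

```python
"""Added example, not code from the Project Zero article, Apple or ARM.

Software model of ARMv8.3 Pointer Authentication as described above: a PAC is
computed over the pointer value plus a context and stored in the pointer's
unused upper bits; verification strips it only when the PAC matches.
Assumptions: 48-bit canonical addresses with the PAC in bits 48-63, HMAC-SHA256
truncated to 16 bits standing in for the hardware cipher, constructed keys.
"""
import hashlib
import hmac

VA_BITS = 48                                   # canonical address width (assumed)
PAC_BITS = 64 - VA_BITS                        # 16 PAC bits in this model
PAC_MASK = ((1 << PAC_BITS) - 1) << VA_BITS    # bits 48..63 hold the PAC
POISON_BIT = 1 << 63                           # set on failure: pointer becomes non-canonical

# Constructed keys; real PAC keys live in system registers, not in memory.
KEY_A = b"constructed-A-key"
KEY_B = b"constructed-B-key"


def compute_pac(ptr: int, context: int, key: bytes) -> int:
    """Keyed MAC over (canonical pointer, context), truncated to PAC_BITS bits."""
    msg = ptr.to_bytes(8, "little") + context.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & ((1 << PAC_BITS) - 1)


def pac(ptr: int, context: int, key: bytes) -> int:
    """Model of the PAC* instructions: insert the code into the upper bits."""
    if ptr & PAC_MASK:
        raise ValueError("pointer must be canonical (upper bits clear)")
    return ptr | (compute_pac(ptr, context, key) << VA_BITS)


def aut(signed: int, context: int, key: bytes) -> int:
    """Model of the AUT* instructions: return the plain pointer if the PAC verifies.

    On mismatch the hardware corrupts the pointer so any later use faults; the
    model mirrors that by setting a poison bit that makes it non-canonical.
    """
    plain = signed & ~PAC_MASK
    if (signed & PAC_MASK) >> VA_BITS == compute_pac(plain, context, key):
        return plain
    return plain | POISON_BIT


def is_poisoned(ptr: int) -> bool:
    """True if aut() rejected the pointer."""
    return bool(ptr & POISON_BIT)


def forgery_guess_success_rate() -> float:
    """Chance that one blind guess at a PAC verifies: 2**-PAC_BITS in this model."""
    return 1.0 / (1 << PAC_BITS)


if __name__ == "__main__":
    fn_ptr = 0x00007FFFDEADBEE0      # constructed canonical code pointer
    ctx = 0x00007FFFFFFFE000         # e.g. a stack pointer used as the context
    signed = pac(fn_ptr, ctx, KEY_A)
    print(hex(signed), hex(aut(signed, ctx, KEY_A)))        # verifies
    print(is_poisoned(aut(signed, ctx, KEY_B)))             # wrong key (B instead of A)
    print(is_poisoned(aut(signed, ctx + 16, KEY_A)))        # wrong context
    print(is_poisoned(aut(signed ^ 0x10, ctx, KEY_A)))      # tampered pointer bits
```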
There is a dangerous remote code execution flaw in the LibreOffice and OpenOffice software. In the past there have been well documented instances where opening a document resulted in the execution of malicious code in paid office suites; this time LibreOffice and Apache’s OpenOffice are the susceptible suites. The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858, to automatically execute a specific Python library bundled with the software using a hidden onmouseover event. To exploit this vulnerability, the researcher created an ODT file with a white-colored hyperlink (so it can't be seen) that has an "onmouseover" event to trick victims into executing a locally available Python file on their system when placing their mouse anywhere on the invisible hyperlink. According to the researcher, the Python file, named "pydoc.py," that comes included with LibreOffice's own Python interpreter accepts arbitrary commands in one of its parameters and executes them through the system's command line or console. https://thehackernews.com/2019/02/hacking-libreoffice-openoffice.html
Nadim Kobeissi is discontinuing his secure online chat Cryptocat. The service began in 2011 as an experiment in making secure messaging more accessible. In the eight ensuing years, Cryptocat served hundreds of thousands of users and developed a great story to tell. The former maintainer explains on the project’s website that other life events have come up and there’s no longer time available to maintain things. The coder says that Cryptocat users deserve a maintained secure messenger and recommends Wire.
The Cryptocat source code is still published on GitHub under the GPL version 3 license; Kobeissi has put the crypto.cat domain name up for sale and thanks the users for their support during Cryptocat's lifetime. https://twitter.com/i/web/status/1092712064634753024
Malware For Humans is a conversation-led, independent documentary about fake news, big data, electoral interference, and hybrid warfare. Presented by James Patrick, a retired police officer, intelligence analyst, and writer, Malware For Humans covers the Brexit and Trump votes, the Cambridge Analytica scandal, Russian hybrid warfare, and disinformation or fake news campaigns.
Malware For Humans explains a complex assault on democracies in plain language, from hacking computers to hacking the human mind, and highlights the hypocrisy of the structure of intelligence agencies, warfare contractors, and the media in doing so. Based on two years of extensive research on and offline, Malware For Humans brings the world of electoral interference into the light and shows that we are going to be vulnerable for the long term in a borderless, online frontier. A complete audio companion is available as a separate podcast, which can be found on iTunes and Spotify as part of The Fall series and is available for free, without advertisements. https://www.byline.com/column/67/article/2412
Security Endeavors Headlines is produced by SciaticNerd & Security Endeavors with the hope that it provides value to the wider security community. Some sources adapted for on-air readability.
Special thanks to our friends at malgregator dot com, who allow us to use their compiled headlines to contribute to show’s content. Visit them at Malgregator.com.
Additional supporting sources are also included in our show notes.
More information about the podcast is available at SecurityEndeavors.com/SEHL
Thanks for listening and we'll see you next week!